From 1a64deeb894dc95e2645a75771732c6cc53a79ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 4 Oct 2023 01:35:06 +0200 Subject: Squash changes containing private information There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository --- modules/private/system/quatresaisons/databases.nix | 147 --------------------- modules/private/system/quatresaisons/landing.yml | 32 ----- .../private/system/quatresaisons/landing_4c.yml | 24 ---- modules/private/system/quatresaisons/nextcloud.nix | 141 -------------------- 4 files changed, 344 deletions(-) delete mode 100644 modules/private/system/quatresaisons/databases.nix delete mode 100644 modules/private/system/quatresaisons/landing.yml delete mode 100644 modules/private/system/quatresaisons/landing_4c.yml delete mode 100644 modules/private/system/quatresaisons/nextcloud.nix (limited to 'modules/private/system/quatresaisons') diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix deleted file mode 100644 index f7b27e0..0000000 --- a/modules/private/system/quatresaisons/databases.nix +++ /dev/null @@ -1,147 +0,0 @@ -{ pkgs, config, lib, ... }: -{ - config = let - serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons; - phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; }; - in { - services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql_12; - services.postgresql.ensureUsers = [ - { name = "naemon"; } - ]; - secrets.keys = { - "ldap/password" = { - permissions = "0400"; - user = "openldap"; - group = "openldap"; - text = "rootpw ${serverSpecificConfig.ldap_root_pw}"; - }; - "webapps/tools-ldap" = { - user = "wwwrun"; - group = "wwwrun"; - permissions = "0400"; - text = '' - custom->appearance['show_clear_password'] = true; - $config->custom->appearance['hide_template_warning'] = true; - $config->custom->appearance['theme'] = "tango"; - $config->custom->appearance['minimalMode'] = false; - $config->custom->appearance['tree'] = 'AJAXTree'; - - $servers = new Datastore(); - - $servers->newServer('ldap_pla'); - $servers->setValue('server','name','LDAP'); - $servers->setValue('server','host','ldap://localhost'); - $servers->setValue('login','auth_type','cookie'); - $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}'); - $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}'); - $servers->setValue('appearance','pla_password_hash','ssha'); - $servers->setValue('login','attr','uid'); - $servers->setValue('login','fallback_dn',true); - ''; - }; - }; - - users.users.openldap.extraGroups = [ "keys" ]; - services.openldap = { - enable = true; - dataDir = "/var/lib/openldap"; - urlList = [ "ldap://localhost" ]; - logLevel = "none"; - extraConfig = '' - pidfile /run/slapd/slapd.pid - argsfile /run/slapd/slapd.args - - moduleload back_hdb - backend hdb - ''; - - extraDatabaseConfig = '' - moduleload memberof - overlay memberof - - moduleload syncprov - overlay syncprov - syncprov-checkpoint 100 10 - - index objectClass eq - index uid pres,eq - #index uidMember pres,eq - index mail pres,sub,eq - index cn pres,sub,eq - index sn pres,sub,eq - index dc eq - index member eq - index memberOf eq - - # No one must access that information except root - access to attrs=description - by * none - - access to attrs=entry,uid filter="(uid=*)" - by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read - by * break - - access to dn.subtree="ou=users,dc=salle-s,dc=org" - by dn.subtree="ou=services,dc=salle-s,dc=org" read - by * break - - access to * - by self read - by anonymous auth - by * break - ''; - rootpwFile = config.secrets.fullPaths."ldap/password"; - suffix = "dc=salle-s,dc=org"; - rootdn = "cn=root,dc=salle-s,dc=org"; - database = "hdb"; - }; - - services.websites.env.production.modules = [ "proxy_fcgi" ]; - services.websites.env.production.vhostConfs.tools.extraConfig = [ - '' - Alias /ldap "${phpLdapAdmin}/htdocs" - - DirectoryIndex index.php - - SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost" - - - AllowOverride None - Require all granted - - '' - ]; - services.phpfpm.pools.ldap = { - user = "wwwrun"; - group = "wwwrun"; - settings = - let - basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ]; - in { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; - "pm" = "ondemand"; - "pm.max_children" = "60"; - "pm.process_idle_timeout" = "60"; - - # Needed to avoid clashes in browser cookies (same domain) - "php_value[session.name]" = "LdapPHPSESSID"; - "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"; - "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin"; - }; - phpPackage = pkgs.php72; - }; - system.activationScripts.ldap = { - deps = [ "users" ]; - text = '' - install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin - ''; - }; - systemd.services.phpfpm-ldap = { - after = lib.mkAfter [ "openldap.service" ]; - wants = [ "openldap.service" ]; - }; - }; -} diff --git a/modules/private/system/quatresaisons/landing.yml b/modules/private/system/quatresaisons/landing.yml deleted file mode 100644 index cf4ba87..0000000 --- a/modules/private/system/quatresaisons/landing.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -# Homepage configuration -# See https://fontawesome.com/icons for icons options - -title: "Websites dashboard" -subtitle: "Salle-S" -footer: false -#footer: '

Created with ❤️ with bulma, vuejs & font awesome // Fork me on

' # set false if you want to hide it. - -# Optional navbar -# links: [] # Allows for navbar (dark mode, layout, and search) without any links -links: [] - -# Services -# First level array represent a group. -# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed). -services: - - name: "Quatramaran" - items: - - name: "Roundcube" - logo: "assets/tools/roundcube.svg" - url: "https://quatramaran.salle-s.org/roundcube/" - - name: "Les dessous de paillasse" - url: "https://dessous-de-paillasse.salle-s.org" - - name: "Quatre Saisons" - items: - - name: "Charte d’utilisation" - icon: "fas fa-scroll" - url: "https://4c.salle-s.org/charte/" - - name: "Nextcloud" - logo: "assets/tools/nextcloud.png" - url: "https://nextcloud.4c.salle-s.org" diff --git a/modules/private/system/quatresaisons/landing_4c.yml b/modules/private/system/quatresaisons/landing_4c.yml deleted file mode 100644 index 0b9f6b6..0000000 --- a/modules/private/system/quatresaisons/landing_4c.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -# Homepage configuration -# See https://fontawesome.com/icons for icons options - -title: "Websites dashboard" -subtitle: "Quatre saisons" -footer: false -#footer: '

Created with ❤️ with bulma, vuejs & font awesome // Fork me on

' # set false if you want to hide it. - -# Optional navbar -# links: [] # Allows for navbar (dark mode, layout, and search) without any links -links: [] - -# Services -# First level array represent a group. -# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed). -services: - - items: - - name: "Charte d’utilisation" - icon: "fas fa-scroll" - url: "https://4c.salle-s.org/charte/" - - name: "Nextcloud" - logo: "assets/tools/nextcloud.png" - url: "https://nextcloud.4c.salle-s.org" diff --git a/modules/private/system/quatresaisons/nextcloud.nix b/modules/private/system/quatresaisons/nextcloud.nix deleted file mode 100644 index 89d69d5..0000000 --- a/modules/private/system/quatresaisons/nextcloud.nix +++ /dev/null @@ -1,141 +0,0 @@ -{ lib, pkgs, config, ... }: -let - nextcloud = pkgs.webapps.nextcloud.withApps (a: [ - a.apporder a.audioplayer a.bookmarks a.calendar a.carnet a.circles - a.contacts a.cookbook a.deck a.extract a.files_markdown - a.files_readmemd a.flowupload a.gpxedit a.gpxpod a.keeweb a.maps - a.metadata a.music a.notes a.ocsms a.passman a.polls a.spreed - a.social a.tasks - ]); - varDir = "/var/lib/nextcloud"; - phpFpm = rec { - basedir = builtins.concatStringsSep ":" ([ nextcloud varDir ] ++ nextcloud.apps); - pool = { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; - "pm" = "ondemand"; - "pm.max_children" = "60"; - "pm.process_idle_timeout" = "60"; - - "php_admin_value[output_buffering]" = "0"; - "php_admin_value[max_execution_time]" = "1800"; - "php_admin_value[zend_extension]" = "opcache"; - #already enabled by default? - #"php_value[opcache.enable]" = "1"; - "php_value[opcache.enable_cli]" = "1"; - "php_value[opcache.interned_strings_buffer]" = "8"; - "php_value[opcache.max_accelerated_files]" = "10000"; - "php_value[opcache.memory_consumption]" = "128"; - "php_value[opcache.save_comments]" = "1"; - "php_value[opcache.revalidate_freq]" = "1"; - "php_admin_value[memory_limit]" = "512M"; - - "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"; - "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; - }; - }; -in { - config = { - services.postgresql.ensureDatabases = [ "nextcloud" ]; - services.postgresql.ensureUsers = [ - { name = "nextcloud"; ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; }; } - ]; - services.websites.env.production.modules = [ "proxy_fcgi" ]; - - services.websites.env.production.vhostConfs.cloud = { - certName = "quatresaisons"; - addToCerts = true; - hosts = ["nextcloud.4c.salle-s.org" ]; - root = nextcloud; - extraConfig = - [ - '' - SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 - - AcceptPathInfo On - DirectoryIndex index.php - Options FollowSymlinks - Require all granted - AllowOverride all - - - Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" - - - CGIPassAuth on - SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost" - - - - '' - ]; - }; - services.websites.env.production.vhostConfs.cloud_wait = let - content = pkgs.writeText "contenu" '' - nextcloud est un service qui a besoin de pérennité du nom - "nextcloud.salle-s.org", on va peut-etre y arriver, c'est une - question de jours, voir le message informatique.internet:8017 - ''; - in { - certName = "quatresaisons"; - addToCerts = true; - hosts = ["nextcloud.salle-s.org" ]; - root = content; - extraConfig = - [ - '' - Alias / ${content} - '' - ]; - }; - - users.users.root.packages = let - occ = pkgs.writeScriptBin "nextcloud-occ" '' - #! ${pkgs.stdenv.shell} - cd ${nextcloud} - NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \ - exec \ - sudo -E -u wwwrun ${pkgs.php74}/bin/php \ - -c ${pkgs.php74}/etc/php.ini \ - occ $* - ''; - in [ occ ]; - - system.activationScripts.nextcloud = { - deps = [ "users" ]; - text = let - confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig; - in - '' - install -m 0755 -o wwwrun -g wwwrun -d ${varDir} - install -m 0755 -o wwwrun -g wwwrun -d ${varDir}/config - install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions - ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: - "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json" - ) confs)} - ''; - }; - services.phpfpm.pools.nextcloud = { - user = "wwwrun"; - group = "wwwrun"; - settings = phpFpm.pool; - phpPackage = pkgs.php74.withExtensions({ enabled, all }: enabled ++ [ all.redis all.apcu all.opcache all.imagick ]); - }; - - services.cron = { - enable = true; - systemCronJobs = let - script = pkgs.writeScriptBin "nextcloud-cron" '' - #! ${pkgs.stdenv.shell} - export LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive - export PATH=/run/wrappers/bin:$PATH - ${pkgs.php74}/bin/php -d memory_limit=512M -f ${nextcloud}/cron.php - ''; - in [ - '' - */15 * * * * wwwrun ${script}/bin/nextcloud-cron - '' - ]; - }; - }; -} -- cgit v1.2.3